Threat researchers at Lookout have discovered more than 300 loan apps that exhibit predatory behavior, such as exfiltrating excessive user data and harassing borrowers for payment in both Google Play and the Apple App Store.
The apps, which were found across countries in Africa, Southeast Asia and South America, including India, Colombia, Nigeria and Mexico, purportedly offer quick, fully-digital loan approvals with reasonable loan terms. The research revealed 251 were Android and 35 iOS lending apps were downloaded a combined total of 15 million times.
In reality, they exploit victims’ desire for quick cash in an attempt to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information on their device such as contacts, phone history, and SMS messages — information that would not be required in a valid loan application process.
In addition to predatory requests for excessive permissions, many of the loan operators display scam-like actions. Victims have reported that their personal and installment loans came with hidden fees, high interest rates, and repayment terms that were much less favorable than what was posted on the app stores. Lookout Threat Lab also found evidence that the data exfiltrated from devices was sometimes used to pressure the customer for repayment – a common threat tactic to disclose a borrower’s debt or other personal information to their network of contacts.
“Mobile apps have made managing our lives a lot easier and are a convenient way to interact with businesses such as financial institutions. However, when entrusting any app with sensitive personal information, it is extremely important to stop and ask yourself if the information being requested makes sense and if the business behind the app is a trusted entity,” said Ruohan Xiong, senior security intelligence researcher, Lookout.
“As these predatory loan apps have demonstrated, app permissions could easily be abused if users are not careful. While there are likely dozens of independent operators involved, all of these loan apps have a very similar business model – to trick victims into unfair loan terms and then extort payment.”
Lookout informed Google and Apple about the discovery of these apps which were quickly removed from the respective stores.